We’ve come to the end in the Month of Facebook Bugs – today’s post marks the last published FAXX Hack for September. The series began with a vulnerability in the no. 1 Facebook application, FarmVille from Zynga. Today we end with a very similar hole in another major Zynga application, discovered about two weeks ago.

I have much to cover in recapping this month, and it will likely take a few days to put everything together. I plan on posting a full report that includes statistics and more detailed explanations on how some of these hacks work. Also, as promised, I intend to post demonstration code showing how these holes can be exploited to access user information and spread virally, in addition to standard XSS issues, such as delivering malware.

Thanks for your interest in the Month of Facebook Bugs, and please stay tuned for the upcoming final report.

Responsiveness: I notified RockYou and Facebook of this hole on Sep. 14th, and have reminded Facebook a few times since that it remains unpatched. I’ve received no communication from RockYou. Update: Facebook contacted me again this evening and said RockYou had deployed a patch, which I have confirmed.

This is the second episode of the Social Media Security Podcast recorded September 25, 2009. This episode was hosted by Scott Wright, Tom Eston and our new co-host Kevin Johnson. Below are the show notes, links to articles and news mentioned in the podcast:

Introducing our new co-host, Kevin Johnson. Kevin is a Senior Security Analyst for InGuardians and is also an instructor for the SANS Institute, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking courses.

Kevin gives a great non-technical overview of a web application vulnerability called Cross-site Scripting (XSS). Many of the Facebook applications we found in the “month of Facebook bugs” were vulnerable to XSS. Kevin describes what XSS is, how it works and how dangerous this vulnerability is to social networking applications like Facebook.

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. You can also subscribe to the podcast now in iTunes! Thanks for listening!

Responsiveness: I received no communication at first from the developers, but Facebook did. The hole was patched about a week after notification. After patching, the developer get in touch to confirm the fix.